Licenses, Contributions, Support or the lack thereof

An inside look from the Open Source community

Martin Winter, Network Device Education Foundation

Upload: alexander-graebe

Post on 16-Jul-2015



Who am I?

‣  Who is NetDEF / Open Source Routing?
   •  501(c)(3) Non-Profit Organization
   •  Mostly working on Quagga Routing Daemon (OpenSourceRouting.org)

‣  Who is Martin Winter?
   •  4 yrs @ Exodus Network Architecture (and Router Testing)
   •  4 yrs @ Cisco trying to build better IOS
   •  5 yrs @ Cisco working with ISPs on testing routers
   •  And now trying to ignite the open source routing revolution
      -  Working on Quagga for “only” 3½ years
      -  Working Group Chair for Open Source with RIPE

Believer that real innovation will be driven by Open Source


Why Open Source?


A few reasons to at least start thinking about Open Source

Money

Could be much cheaper. Why develop on your own or buy it, if it’s already there for $0 (only “unusual” license)

Education, Research

Research needs platforms to build on for new features and proof of concepts.

Your Features

Missing a feature? Need a special feature to distinguish from the competition? You have access to the source code. No more begging the vendor

Support

Not just one company is setting the schedule on what gets fixed and when you get the software fix. Do it yourself or find someone to match your requests


Open Source Licenses (*)

Battle between giving everything away for free without restriction and keeping the project alive

* This talk ignores the non-free “Open Source Licenses” where the software is traditionally sold and full/partial source is available under NDA or severe restrictions


Main license restrictions

And their potential reasons

Attribution required
•  Getting awareness for project (helps funding)
•  Getting awareness for author (great for resume!)
•  Is it really that hard to publicly “thank” someone in exchange for free help?

Publishing Changes & Source
•  We help you, you help us…
•  Limiting ability to sell something you got for free (and profit from it)
•  Very few donate money, so at least help with code

Patent Protection
•  Don’t steal its ideas and sue others out of existence if they have a better product than your commercial code


Aren’t these all “hobby” projects?

‣  Most of the maintained projects have people dedicated part or full time

•  Individuals often passionately dedicated to the cause

•  Learn to work with each specific community

‣  Many projects require highly specialized knowledge and lots of time

•  Not your average student

‣  Infrastructure (Testing!) can cost $$$$$


“I assumed this is collective work done in ‘spare’ time”


What does it take for Open Source


Same as for any software and much more than just a few lines of code

Write new code

Write Bug fixes

Code Review

Testing

Support

Percentage may vary between projects. This is just an example


How are YOU giving back to the project in exchange for the code?

$ Money


Please respect the licenses! It’s your choice to use Open Source and you depend on the projects to survive. Or even better: Convince your company to acknowledge the use and give back in some way

Back to Licenses at least


An example for the future to avoid

Remember Heartbleed?


‣  OpenSSL project donations before it happened:

•  $2000 per year

‣  OpenSSL users:

•  Everyone. Nearly every product with SSL used the library

Remember Heartbleed?

Did we learn from it?


Remember Heartbleed?

Martin,

I hope this email finds you well. I am reaching out from Vasco Data Security to discuss how we can help you and your users cope with the aftermath of the Heartbleed Bug.

MYDIGIPASS, Vasco’s cloud based solution utilizes enterprise-grade Two-Factor Authentication (2FA) and One-Time Passwords (OTPs) to add a necessary level of security while maintaining a simple and familiar sign-on process. Since OTPs can only be used once, and for a limited amount of time, the MYDIGIPASS system provides the ultimate tool for Heartbleed mitigation and ongoing end user account security.

I would appreciate a few minutes to set up a very brief discovery call with you or one of your team members to discuss how VASCO can help you and your users minimize Heartbleed damage and address future security risks. Please let me know if you have 15 minutes for a call this week or the next.

I look forward to hearing back from you,

- XXXXXX YYYYYY

XXXXX YYYYYY | Sales Representative | Vasco Data Security | [email protected]
O: XXX-XXX-XXXX | www.mydigipass.vasco.com | www.vasco.com


Why this is just wrong...

•  The product uses OpenSSL as well and was affected by it.

•  They did NOT support OpenSSL before

•  They did NOT even talk about supporting OpenSSL after this incident, but instead talk about making more money for their own pocket based on a bug in a core component of their own software, which they got for free.

•  The bug affected hijacking (encryption) and not authentication. All the 2FA and OTP are nice buzzwords, but have no meaning here


Martin Winter [email protected]

Thank you / Questions ?

OpenSourceRouting (Quagga) www.opensourcerouting.org

Network Device Education Foundation (NetDEF) www.netdef.org